b6ee74a2550cdf7f31f55b2c8a2a2b7e4d46979a12d0679bd6e29f8a2e5b1d62

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2023, 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6ee74a2550cdf7f31f55b2c8a2a2b7e4d46979a12d0679bd6e29f8a2e5b1d62.exe
Size

1.6MB
MD5

2f5c75337dfe48027b7f2767584c63db
SHA1

3c0886316253ba6a9490330242f5037efecf66a3
SHA256

b6ee74a2550cdf7f31f55b2c8a2a2b7e4d46979a12d0679bd6e29f8a2e5b1d62
SHA512

626c11b2649db0be250a89032697c6079616a4bbfdf19d3a690fac6977ef5737adddc01d027172b5ed6106cea6de66140d82f2e7dc16b384be283b3bc7cb5942
SSDEEP

24576:CVCKABy8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:CMKkygDUYmvFur31yAipQCtXxc0H

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3736	alg.exe
4916	elevation_service.exe
3900	elevation_service.exe
2288	maintenanceservice.exe
2044	OSE.EXE
3116	DiagnosticsHub.StandardCollector.Service.exe
1320	fxssvc.exe
3692	msdtc.exe
3940	PerceptionSimulationService.exe
4776	perfhost.exe
368	locator.exe
3756	SensorDataService.exe
3744	snmptrap.exe
4868	spectrum.exe
4208	ssh-agent.exe
1284	TieringEngineService.exe
4468	AgentService.exe
4412	vds.exe
1236	vssvc.exe
2288	wbengine.exe
3496	WmiApSrv.exe
3920	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\alg.exe	b6ee74a2550cdf7f31f55b2c8a2a2b7e4d46979a12d0679bd6e29f8a2e5b1d62.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b091baaa7a240f41.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_153718\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000012704e971021da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c6d44d951021da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077c9eb971021da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a01ed8951021da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd2d0a961021da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000037d08b951021da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000014d0e8951021da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007344df951021da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4916	elevation_service.exe
4916	elevation_service.exe
4916	elevation_service.exe
4916	elevation_service.exe
4916	elevation_service.exe
4916	elevation_service.exe
4916	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4708	b6ee74a2550cdf7f31f55b2c8a2a2b7e4d46979a12d0679bd6e29f8a2e5b1d62.exe
Token: SeDebugPrivilege	3736	alg.exe
Token: SeDebugPrivilege	3736	alg.exe
Token: SeDebugPrivilege	3736	alg.exe
Token: SeTakeOwnershipPrivilege	4916	elevation_service.exe
Token: SeAuditPrivilege	1320	fxssvc.exe
Token: SeRestorePrivilege	1284	TieringEngineService.exe
Token: SeManageVolumePrivilege	1284	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4468	AgentService.exe
Token: SeBackupPrivilege	1236	vssvc.exe
Token: SeRestorePrivilege	1236	vssvc.exe
Token: SeAuditPrivilege	1236	vssvc.exe
Token: SeBackupPrivilege	2288	wbengine.exe
Token: SeRestorePrivilege	2288	wbengine.exe
Token: SeSecurityPrivilege	2288	wbengine.exe
Token: 33	3920	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3920	SearchIndexer.exe
Token: SeDebugPrivilege	4916	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 1200	3920	SearchIndexer.exe	119
PID 3920 wrote to memory of 1200	3920	SearchIndexer.exe	119
PID 3920 wrote to memory of 3292	3920	SearchIndexer.exe	120
PID 3920 wrote to memory of 3292	3920	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b6ee74a2550cdf7f31f55b2c8a2a2b7e4d46979a12d0679bd6e29f8a2e5b1d62.exe
"C:\Users\Admin\AppData\Local\Temp\b6ee74a2550cdf7f31f55b2c8a2a2b7e4d46979a12d0679bd6e29f8a2e5b1d62.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3900

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2288

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2044

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2856

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3692

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3940

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4776

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:368

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3756

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3744

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4868

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3520

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4412

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3496

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1200
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f17dd3d354215fa2e542447a12fd8ff7

SHA1
d81fab3588f8c4715c2180488b2a43bff320fd81

SHA256
c894989e2dfa6a990cf4deeb6cba4dd36100bfe1f9056f1d27a0759a6cdb9c4a

SHA512
336eaa37486386104c5d552e25d64ab88e24f366f532793570a09b7db11f67879c2438d8f13bdd58af86e2fd786aea37672f1803bda970587e4a26874d78def0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
5170e4743b017fc176f575d9db896bd4

SHA1
9653ef4837d5eabfb93d5c1dac45ab17f66e9f44

SHA256
d8e9f3155a2cf079ed65a3931a2ab0d1c960086ba7fad03ff113ab00fb18b0cc

SHA512
fe078237589b6c99cb583ea5344d39cd922b6ab973de3957b47da71801c3bc595163679c4c46144bd9d88f671fde0b9c400dfcc8d2ca8b3c5d50077cf7deb530

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
5170e4743b017fc176f575d9db896bd4

SHA1
9653ef4837d5eabfb93d5c1dac45ab17f66e9f44

SHA256
d8e9f3155a2cf079ed65a3931a2ab0d1c960086ba7fad03ff113ab00fb18b0cc

SHA512
fe078237589b6c99cb583ea5344d39cd922b6ab973de3957b47da71801c3bc595163679c4c46144bd9d88f671fde0b9c400dfcc8d2ca8b3c5d50077cf7deb530

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
cae46ad0c3df9fdac99153dc097e80cb

SHA1
a5bbdb37de63cb083e73e190e868f7a7a0a3d773

SHA256
eaa968be8b783dcc2dcfebd3169c3cfeb5cacf7cf16d470c572abd7d8706ae40

SHA512
5afe0058b5d343f139c7ef50f1abde0786a656558d3bf14fefa3e7a34a990c1bdd5592ea836feeb0e5b9d2db01f3b5b3d7314a938f88cf52da2d37246646fa26

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
37fa7d27f547901bf84ded1864824e26

SHA1
34cbdc01a46bef775059d5aa50363b228a9c2d24

SHA256
7bf6cab5418e0d553e2167a2d8cf40df6046698ab4823da96e6789476bfc5ed2

SHA512
b44d178bd76b27a16571d8f18e25e8c4631dd27b3b07abd6b11f79494f76fc6fae7ffe673a083af4f54dccb0663c19d1264b1700cd4ff15e9052ab1748595bdd

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
7edc52662344fa99b233369acde916e0

SHA1
34d9589dc0e709d33df4b4fb5c175e9231c93aa4

SHA256
ade98c7af9ce56ac19131193c48983bf5b50bb1acd994b671ea7ddd9d7a14b84

SHA512
7943579deb94a7d40b27831222d7644d05a6b98bd06ab6a53ee3013ae05ae7dff57e88322b7466db773e90c6827700dffd3f2dcbe0091bfeeb78c09e62ed36e5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
c431118530fd411ac044985aa32c8566

SHA1
89a0592d8b5aa5c0450533c86ab753e07bd4e3b8

SHA256
8c6be9738a8a9d3b9e65ef82ea0f758c73e214acd1009bf175e7a32dcd61635c

SHA512
3532ddc5e82ed43b7213b8da565e5b1cb761d789add61bebfe8e3e22bc2e6b0ed85e1ea23e1b9a5114e94ea653e6099013b8480a41ec7516eda8c56b11a9bfe7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
05d2980c754daf7f3c72a45fa59c5658

SHA1
fb57f1f8057a7d4dd7e41dfe59be4b41f1c0ed75

SHA256
28bb72b4089163bc17d0f7db0ca17728c1da6fe48f15f3b9a4693a32f3381717

SHA512
6dda93fce27131362b899be3f80604d12252a60bd6aab1b92f3c4b2074d0668cda69a3d2dc246e8bab173614dc8a40d53f2d5e42e2d37fb241595d0cae05fb0d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
358e144e0d2ace878348ccaa75d61467

SHA1
e025c69676636627b9989e454c7fd65a9b80e411

SHA256
a3c8de3f364d2af74ee33ecf5875daff7c9314b70225cc28528a67820fa0cc71

SHA512
dfe3cce52b2f157e36b99f8b7daed0ce056705cc8a6ba5f1076615f5a4e79d2b6d458f55f9d85d7f485734b0f74fd5da2163eb9b74c2e671cd030414891cbcc2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
af9cceeb366a19bce3c6d222c9969ee8

SHA1
73d3ad507a65ed9e9697af457a3eab6da33270f6

SHA256
af9298e84cb3a717c00447bc50978c137a7f83c6340b70de82add98ec68f689a

SHA512
9e224681db9377ed46105e911e15c044cb2e082fdff1a8933f52c0878f6c12415b715e8d87713b3c67ca76da224da7c576d8a1b35bd840211c1c8c3bfd42658b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3b1b3e10c91b8ed699f2c338dfa9d8e9

SHA1
3d1cb6ed91b7e493369a836cc7f7a393c5128a15

SHA256
3bc1908f60821fa92c69185082248dd1447b6c88bbce46a72dd6dcacfce8187d

SHA512
a143a566bb1e95a6c6102e7bf099028972b29032f42f7d58fcb7bd85a29b6a4b6dc6263eab0e727835002905c1f735d5ecc5a58c04f53d708c51c3582e0e4464

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
690995516d48e15b75ffd1ea4a0e6966

SHA1
0e175e51954238293eee085e43838f4f32a4804e

SHA256
892f51b929538a9ae3475a60eb2ab25ed9cda91e0c57365985da14cfcca07571

SHA512
3e59d2f8f37ffb9e6848db227f6ecb79237297806dbe546291f13b750e595375f6353c526dc4ca518824c1a924136cdfcf94726cdf15b531545b2f62a6db5d05

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4193d8beedda7ec133f194e3b0c206bf

SHA1
c73a59fd025d84e2b260c7945f18a8c2e3a6530f

SHA256
15110ba63fe33caacbbee93f6cf827c9859f8058b6af1b1d51b01ef7ab385d2e

SHA512
50fe92a92450b4bf60ea0c1c7df702e792845dc1a935ac0ae10e88ef6c2e2872695d95b495868badca5dc39f0283ab0f0942ac69dac74a47684694fa79150a3a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
d48c56917bdb58649ce7b7e24b21d05e

SHA1
f3012eb42758eb74be68052aaad111375909fc76

SHA256
6b577b923c7154722fc5a90b617a54d8b5d215f17d7666d886f68f9c8bfc77c6

SHA512
ae44a06debf4548fca0aedce132b1ba1f0e14fc183044d66d77dd903638c7fbf3b70cb4e1172914d4d9dd5936b25d1e9894db71332dc0cf399d13b0019e3a166

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
1cf5e70eb6e798f2b3a43d053298b796

SHA1
424e36616d09890865ecbacb9bfdd07bd2b8194a

SHA256
eb8055a03d6fbb53230981c7c484f65a71c763215eb72dee27c7dadc609e6f95

SHA512
2cc2474c6058c7292091b3dd246c62164fd504be4d5785fb9d711df88b84a9d5f66d52dae518cf141a1579cb0df9e3aeb66e3eb53318bb0f7a4e8f04d4b93544

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
17f90c6340ad6716036fef3dc6a0bfbf

SHA1
a9fde4741fcff85599d44669b3913cf43ffe5641

SHA256
03e5d2bdcd5d09cbffae41db20386a4f47b6eb60f2fa67bf6ba180e4e890779b

SHA512
2bf29960a9da53d9482c008dc9132569f5f1453296cb8da5fc0fae8d2791cacd98379de4525f70094ed16ec0ebe125be656493f381483b6033ce277a91756ccb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
1bbbec14bde0be3fd726ae332a50ecbe

SHA1
db7491dcbe1d4e2bfbb9f964ab8dc67f486a7d2a

SHA256
b3762af66789cf88860d7f680584aed08c67cc917696e90f353e11d3db9e2246

SHA512
4b53c373b5bd2121764b813855fb7826f625804952d9170885ffbfdc8a01e7baea998b8b21f1263f68bdcd28a6ccaa4da8eef16fa01cc0dc11635e9d27d0660d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
8da5268a566359879651ad7a623309fd

SHA1
a1c803d9d8cdea126acab372cf11f5b097b199b3

SHA256
ab5dccfd6fc083ef66f170947522e169347c8ff067129a48b47f0c6a0b508459

SHA512
4ec623026ef5e63f6f066818e2e33067454ea7b02921ad0edd521ed2e15a429011d69367494ef410633c0f80686d941df3de78fd33ef840f14d3f2166a081fff

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
481bfd4f545f776080f6df679bb5cbbd

SHA1
6b1ab926d640ec251a81bf1267bdad54c41c8c29

SHA256
dc3f8401828625a4ecae19f8f7daaf98c6a5c12adac746323abbb8d1af7fe525

SHA512
441b861f38abbc54b3aba6ebde01519822cbf3330c7b651730e5f8b6334ea2ffcc8c3e01ee34a283f6e62479c164e22db1cab83715a415a4e7fadd138befcdf1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
95d534021ff40b87963c45eeec3dbca2

SHA1
938de3983fd1e882085faf45b77a8100151ff057

SHA256
b8fc0e30c82a475a4d56f27257e0117a88fc93c144314a1e7c42ce9f3be504d4

SHA512
0be87ab3dd0e0d6f1ccdd69ede7a427e170d933e3e0996e8573b5b2ac82f2e2a733a05515794f63a1cecaf87c82e4cefb03f98a0f2ba845c4058b55b15accec9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
ba236cbb915286636bb44da83aaf001d

SHA1
72f886bf9ac37f7a8a538ee3745067a0633b32a1

SHA256
01628cf9f32ae401ba8e049a3903adc611862439d33df5a6c98e274f44f2c29e

SHA512
16f8262ec622f4f303b0174e86df9a888788bf7c3015d1c54340ffcc144b2cd551e59f527e3b6ab2ccfc4ae0fa1723b426850ddfd3d325ce91f4bf8ca49a55a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
4214990e24170c1101aea72481b04e17

SHA1
ad18b9ff9f7235c14d115fc75e92999d3fac1125

SHA256
fcc6f330dde815e4d408103293bda32486909011e25b26ce3a278fb700540951

SHA512
461636643023cca69f1b03a95b79faf5baaf45a44bc632f170b4bf3eabcbbf5900f687a359024ed2b0d6fdc7d6b90295ec67756e8d3b522df86fbbc252c14c6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
33797654a6db0fac6805cadddbcb92a0

SHA1
8384fa9ad52ce923038272340ed447befd675ae8

SHA256
721fdc25d0a5292ccb77b606e5859bc37864e43f8d0a40a364fad805996e5bf4

SHA512
4254b75ee1c3ba42fdd2c32b9baa3b5af5b2d2593b990603ae64958af04edd9ae90ff99a9c16ca00e8f34424c0f07370014b465bdda4b1efb4800e525e48fc58

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
eb9ff1df181614f553707e41c675036d

SHA1
3d7a7b672b1031a0eff12f684222249442be09ec

SHA256
19812c4b7dd979f60f7bf08b427d2ae7c3977a2a6f43edbfd67c79a4b0bbba96

SHA512
57c9a219dda584c460619f6701bfeba6679e52503f46cea53778293c28bde22b3a4381ab8e622e50a12420c3c9e3072c6720964c696f63063efccbeb6c2a38bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
e2d7931b36edbd64213246d48ea7bd11

SHA1
a80b0b9cce318e762cc6c06ee21f82011dc4e653

SHA256
ff2a3f3d03695d49617b56cdf068b211537aba0084f2a28d7df57be270ebab00

SHA512
3cda06af699c60f184576294f1c25b990ad0a47dc38e4a548011bda4567d4d079ac7f8003b1a44f8a929c78ed0294ed8983e96c296654b071da66b1b44e1cbc8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
58e04117c5572f1c6fec92dd4b8fe920

SHA1
26aa20f47c035030172d9a5c4f668318c2de1ec3

SHA256
bba703efb762624677fdd5f3817d8ddd34c5dccdc536274aa5003aed9aa59c2a

SHA512
2ee268c30184638a5f4b47586638a8fb812869fad99cf05bb8fc708dfae49232bded096e493309cd036b9ac76d2cbc943bd25be550e6bdea3d30a8869d30a557

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
811ea1811d277d9d9cbbbedd02ba1c5d

SHA1
2f4751484ad47776473cd76d25ae399c45ff9149

SHA256
abaab27a296f5b6cc7597430aba064581cedbf1b3efe1db95c003787379b2250

SHA512
f84c37493242695149b3e08412d4ac003dd0db0369b173fbabb9e41c2cbcb22968c10387d0525e713816f8d905c2829dfbe7826b836abfb22873928a13352eea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
bc0c5fe7a7dd18756eb1290c529951ee

SHA1
fbf7df1041a3ce047459333df4da878a6e083222

SHA256
fc15e202c17ce3df165386092d6450fa5eb8f3e054c82a5fb9426e41e9e17acf

SHA512
57718d12bce40237dc159de8c0dc95ff8be57f44971bbdcac20dc07f49620a6138b54d8abaa7a168c4f271b53b50bb288eac5fc496d8596ba6df690a8335baf7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
f0cd2442d6647fc106acfa41c9e684b4

SHA1
68c0904bd238fc08cab36db8ae98386a02d86cba

SHA256
45a45271da5c1c89e19a6cdfc00e1bd51b289528e3f2976fbd65c1a004bd47d2

SHA512
b5186010847816e63d6fc46d6bd6255c1c04270fd935015bbbfaae61d17883cead81caa468af95af237b5a3858ffa0f2e585e5e02da3597e5a484794f2d9d3c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
54637e0e4c205071c4b940d66f6d75a2

SHA1
9ba161e9def385c9e090c8498809dac140c78e84

SHA256
03d208a6df0a975489e3213b4b0be953dfacaa2c0ea0fc4a9e704210a9b250af

SHA512
71412c39aa8e6bce1934ea5790d724234811f7303816d377ad97ff374e204d6110eb2bd87b3b2f7c9d56e8f6fdde7bb18ee60dc3de0c047900359975837cd988

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
d9b4f31194d94968725e24bc3007dc45

SHA1
0893daaf494b7582f5e83eee325fbec59fd29756

SHA256
159593ce70abd05d668e0d3b8b8c58421745ac87a1470e62236f544136733e3f

SHA512
b143b82b7918c04df55b554df7fde4a07e4d53f07eb4e7d72fdec657b9bea96b23af2d3e0de7995ff5651ab0265ba39e9c82b751d3a59c4057b7f7a79340ae1e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
312a1b3d2517f7c30a79085637e0ab3e

SHA1
ddc527d45c149da65b7c5744642ea1e71cda2d22

SHA256
40443b0d70e2799aba60eb46b0ef159cea2d7f8bcd34350b64cfd861873b6e67

SHA512
b26291c48868af74b0b51fab78d0842a2f9fb5e1d4719c64160e71eb50e1b2e53bac498513739709b8c61bd1a1832c7693e56618abb0a02eedbac8a7692ccf24

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
0d3df0a6a58ec907f189d0728854c495

SHA1
d5bdfaabfbc543624241e1b46567b4f1e3ed841e

SHA256
8e5327f9e4216bff6c1f22e29eca5f23530ba5082126ce1a0ad27606afbce159

SHA512
acf4b4109c072eba28f62db70c6c65fe0a75aac030ecdc31978ea7870b0101a935d9214df461c8fe01b1fe852da2e1e254e5d902248921ec24d78a67b637c193

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
199cf6e9bdaf44a5c76e14c14ee4bd1c

SHA1
f766450beae35cd77cea501fbac33d3159be13c1

SHA256
c8d2b663ecd0e9d75dfe063b017e4bbd5952c5144c07597ca1bf5bbdb6b54c22

SHA512
37ce38627207cbe72d1eeade6fced2eb7b2884335de6424495049c668ea394431a219a2198de49b73e48203e6fe8692e9179477a94b53f4a5f56e068deb7584e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
1971c170d46b358b79d7c954e486b398

SHA1
baf281958df3c435f1dc3e99af8a5bc2c723077d

SHA256
d47e1aacfce17515fb95cda7dc0b77db16261f1164dab13dcc569d394b83274b

SHA512
50b7c03d1563a15181e80376576b24d69fe82c4673a41d6e0687778d20b21f1defd2025c9b43c2ecc76957dc14a6b270c50d8eb3026c292f93372ada641ccd79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
e74f49163ca5dda8fd0ec4e22cbde901

SHA1
6df335ada96d7bf34f6989e4e5a34bfd7c97ca78

SHA256
bb14059c788d32a9eb9875d8258cfe9f9f376670dfa6a910d115969672dea76d

SHA512
eccbce04e2139af15d0149cc946c5aec2a2a46c5d04e691d3776fc117cc11be5f5eb04c06fd60d210b0ce9c708bf995476e2337328219a82d1792e885725da03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
35249901d1ea00670359a37a4e58eb31

SHA1
885cefc8b89f29a1a95133c5ad58e95234e776d6

SHA256
f748c6b4d90ea0c8b787f2d0ade0d6c24414e66704d95f2dd3daa75c6bab1c67

SHA512
557db0fe470b6f41380c4796ae3f630064f49f2db39020eb771158550e0f35fab8bfa030a587bbedb1395abadd31bdba9295c099fccd12bc4eadc90f8b94f5b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
172e5ac8ae1a6a7f8a7f04491f2b12f2

SHA1
f90da5543cfda7e8205c2251c0f3c81a8e83c76a

SHA256
8fc5aadc5d385bb83fb3d7e21396b2bb2b9fec17a5ea7a52542715772c0e5072

SHA512
3154efd9a2776e415dccbb89eb1dc7b3b784c223df593d135609023ee0fe713e2e81777e86ee089e99b875f68352556f45be04aa5df36559e291f318439433ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
d95e04d806dd19440667eeb1035c5083

SHA1
75f9a81402fa2a9c6d27bbb4dc52aa0a97275d64

SHA256
ca5149b271f321fb654065c0018d4697b64d1464ae4e410f6c048e4dd7cd43fd

SHA512
313c6bcfd5114bbe9b9decf65b08925a7751a3f7cdebeac9dd8b02cee07f6dedde743e01f6c4755012debced5a83ef93558b630cf7fa696d5a5e4760fe98e50a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
ff9c18c7ef55d0bbb9dd4359f3397f13

SHA1
d8e43eb7c592589359d9fd1ded8578fae4b99340

SHA256
cee5f027e497624fb72d319b4ff6551f84c177d77a85d83c2ea7d92c8082f36f

SHA512
35a7740f7512ee90f8714a8ef0219a6ada30ab146b73a038b8a18d2981bbf7d400ba61cc849d02ccd045f4daa08c6698cb49bb61ae325ca7e91d927c92793fe8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
0e625cc20a885da1a7ab6ea773c36c8a

SHA1
2d044fc975c407b0875241796879a53acbe95350

SHA256
b90d6f2c173d6019c91e8345f3f6672bb9037f8b4fc1afa8474f37842bb20455

SHA512
e2f1a6e115b8ba9dc7d5dc5aaf45dd9bee522119abc107cd7733a840bc02435a00073c8ab7e1e08d9198e118bcaab06a3e601887e9e1bb05c6a91ebf427f663c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
0e0016315ecee606bf95ae4c66501ca4

SHA1
6e238b4ccb8b9b78f369dc217fe69b5ff84da59d

SHA256
fb65dd9e9e8e408d5146f315cef9c97973c5ed253787999956087428a9ce9f4c

SHA512
7d283ba7d7dfd6f554765676968892356a52eb0bc01c66db48f389b79dc9bdd8299b72839a801b4df83077204c93aba1b8965f155eba03eaa218f4d59b5184b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
526e3e744f9fcce82ca578b5cb0d2957

SHA1
231c1936e1a7bbe16bd4f6e90f1fbf33e964a464

SHA256
346e204160152925407fed7ded09ca0c1e87414398925bacf81f49bbd639b149

SHA512
2bd3f5f8415de859c38ba88bf60709b3d8d744dcd4b4c50aa82e52ddd4bceb91bd757d1508b4196fc0fbc4008e1a52a41acd1045e347af8e855dd378d6c72098

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.4MB

MD5
7629299ac7954e93edd6514e8bc7ea45

SHA1
5aeab9a895c4666064179e66130352fad8b56f64

SHA256
a9a61e52602329dfc83a1f867dac5f07b4d10d1f9e03022217d360b972013c4b

SHA512
97d3a90cf89e28ecf6c2110f159a6e3a2984c4cf5aa51301e44c2f273b9ca526436d72c68eb715a2491ac75e1991364a26e5f4806d916678b963a41d546a4e84

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
c71d0724406196c8ec0a3c1632d84cd7

SHA1
b8cc737eaf95f3256c933e3e40d3e596cd4f0393

SHA256
26c8d6dc967c6f71f8ce7b3bf653e57417648ad59305bbb741cd5a88e2a53d57

SHA512
11ce4e0a7d9bbb2ea2bdab4d29f6c49314c8637483bfc82334c07d4c1dffee33b0ac12258799f01ae33f3e70983cd056b2a57ea30d4b040382419b269b75c51d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
64e22aa30f9ca09e239ec7151617e153

SHA1
bb64b98b98ce8de5ec847a28c42edcfc03b279f6

SHA256
565576768a1adba0c82324be487f6221c2951c1c43051b4d1b500585ea648db5

SHA512
a8309e6d8bcc02be758757daed659945d10bbb6ab74957172b81612449392207400c4d5d8e2592c6d709e134099c3a70e71c48fbffa1e47da4e6758d74d7f6f9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
a717cc755be420e47d93cd3ef32aa30e

SHA1
bdae08bb37e4f4ea9d215655d286525900d91abb

SHA256
a4f902c87df3cabc5a13583848648a58ce6ff834f0130645d28686d87ca8547f

SHA512
6bc10f9663080d5d4e54978d43e36e56b8911dd0ccf250786c44b5851685a528af449dff591fce0a47005782b1ccba3824fe97b7efa5702a824fbd4f87e0c73b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
cc3e96868eca2545fe0b0617fac099f9

SHA1
26f5a4d258561327eee7019aaab141137ba08e8b

SHA256
88c0836168febf72bcd1dd475e956e3a2a41fa54e470e0afa5b38081afa6104a

SHA512
706fc9ed0c98c7d2220523cc4eff3770db6b93798391526408a78734e41713cfd10259f536bbcae974b67e87e5154a7885ac54f20d9bd051d401b37a3e60087c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
3660bf7585f5249e540e921c80a8fa3c

SHA1
11e8250d13d64a03811e4358e931cc8d664bac5c

SHA256
2bcee9df08063cdd184b7eac0f40b7eabde8c7e6be294630fcdc77ada11aae07

SHA512
e01f6925e8344f1af9afe25690ffd4ff427cfb5ca1bb11fe045ba1b3340e85123dff881f819d953f1d88e3da94f8c9b1f6fe72d2467ea252280c3eefe7b50b20

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
532314fa39f4667a789bb15ba97c872c

SHA1
b41304a7a675cc670e6bd1bea104ad93355ff781

SHA256
be581cf457f13d2c4173701a0673cce330c79ef62cad5070b61aa6e3e975f1ea

SHA512
a6304ac0721c482eb3acc1b81e1d7d19445963f9f12aa3491180b71d30e40732d558123aa27d8d0e432aa57a82ec7de1287fd81041cd5fa22f6ea1ab6d6e479f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
532314fa39f4667a789bb15ba97c872c

SHA1
b41304a7a675cc670e6bd1bea104ad93355ff781

SHA256
be581cf457f13d2c4173701a0673cce330c79ef62cad5070b61aa6e3e975f1ea

SHA512
a6304ac0721c482eb3acc1b81e1d7d19445963f9f12aa3491180b71d30e40732d558123aa27d8d0e432aa57a82ec7de1287fd81041cd5fa22f6ea1ab6d6e479f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
8b2530a1f0c8a845e87f1be49b6fa872

SHA1
71057eb521967be3225757a84084ead6d1ada32d

SHA256
d21bc1389ebcc6f2ecf02fe32243a5d2a9e177e0fd6a3405219ed0cda239ce3a

SHA512
79aa037a13f780c4c988f436bd2f130b24dc3a6686249e1a49308d4c0bed73a35182b7d3910e1266e7a83b2ef6c9a43c2adf21fa7bb7d626ed36141cc933a76c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e350fafb19412665d290ee2dc5a4a95c

SHA1
e5e622e023de9777008951f1e39d3eba8808534e

SHA256
e70dc344cf01ab91a224f31fd6b07dd793bf0edf5a6d05ea2ac801bbb591d1d1

SHA512
d5802ba34c9d23300c6bb24a6683f75451ba1987e4ca40ae483ace88fa5f5c0f9a1cf5dadebf79c5dcae05eeac002a31c38e908dcc4d76d65c219ca9551fc3d3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f94394dd49014fda05839cfb1fb93345

SHA1
4786d86b1ab0bf6ff24a6e01fd51d7fcf0f4993a

SHA256
05c5d8f66b79ab2f8310d3fbed3b5f60e08539eb4070505b5b665d50af037507

SHA512
7b294a154d018b631f90877a8f015e093e2c407e6a124b9d7b2e297c85a3caf72ed51495957787cad3d19475da9cfe153639873e2e1e7815f0c1e72ba5dfde25

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
86275ecf9340a834e599b9af8a3da041

SHA1
6bd1bdf4a2aff1af6b2aaa575993eab577de63eb

SHA256
69ae3defb7cf68c6eb95269eea457e3eeb9602fc97bb902998d6ed27549d4727

SHA512
9a82e1d019274d97b3b548c969ef98553ffdb8c533f8f5964f3aa0a1dab9a1398099cf0c4d21af626d59b966e6c72aeaddaac9c5a400923805a7a285e0dc8576

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
88152e81b8ea60560c51c2290b1b8474

SHA1
ef13f4d9e46e1b72a58cd5cd7e44fef4566184c8

SHA256
f04016bd6cc430ca2800aef0b9c4b1f5c826b45d548ca93073e24e2db98b5649

SHA512
84dd98c9bc8b26ae00a85bde3b369b6075357b808f634368a5e8cc14f9a2b2c07c67563aacee181cddfa098d57c25fb8477bff32c48b6fa95f8af90df0be3482

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7c8d8b08a3fc03edfe25c6f6ec3020bb

SHA1
7e1f49fd311b3e1e0a70edefaa60706685d3d1e1

SHA256
1e20bcb486452c18c6f0862740e24fda441de43053d163181ce0f09374bbc205

SHA512
38839f45f40d8e04413cb5783cf2fb730e5a8aa26948d28f1ca84078426a7918e5091bd93f13810a87a1c9405398594b3e4d9db6e047c587524d2939baf5ff23

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
8533af6aea04cbbcc206cf707d481066

SHA1
6899280c987466278fc291fc13be48a90d1db05b

SHA256
5e4ec9449aa0f81deb8114bdad87f68d58eb42c6b8e9b68f4a601f5951472f11

SHA512
5b062930fe0177467377ce6d3781fad41f5f7a0825588b6c059832adb3ee7b3e0abc21a672ee1b7bb4455078776a7ee9a43370e6560b5cbdd6b2ba894994a4cb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
37c13e3aed7420a2b0a2e6ea3faba91a

SHA1
8e8bb8cfeac051bd8e33b13c4d3ed6adea53e801

SHA256
206d1ab5cd83be4339f5ac55a89e6b5b0d03c12890514b68a247d9c25147698b

SHA512
29a6fb96355b0e486522580ebbb953967d9d2a270aa84113c758bf501940c0cd7d83185399ca701d7039d1c518768d728dd7ea51e9f3b9bfe5e0fc2524a05394

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
8bf4b3c1b195a5e2d8f9ec532803db97

SHA1
f53f36e67c9da81d109d8a98cac7402965c7c972

SHA256
204df1baff79cf1799c4b9c59ebf55d4c989db5937c81e3aa6cff5cd5210ec37

SHA512
42565d74111bcd4decdeb9bbe123fa48f70c3a592ca5e2c10f2ec9b027e0f7205292965e53720e463cb80b8a940d120642f78635600c9b446a039420b2772076

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c81a8d869a9f33b68ef16df4de785d30

SHA1
37a3b17e8185060511660903b09cdb6dbafce6fc

SHA256
5ad8ee5a7f36709319e5679bb12c6e21aa045ee6683c924de4b61fc5272b3644

SHA512
959c2b475a116a08b837a50878f8881364c102361ebf6d9e321d3534ba766ae7f49d7bfedf12ee6bf15cdbec3ecee5d414505c28c19afcd3f7bf11619c149d73

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
62fd550f00c78cc5863aa697ad0f1149

SHA1
35a5a9848ecab1a48dd69fdc78c0521a8240363c

SHA256
634b96bf04e15a791e3257a501975588da9aaeaad12926629084d1fb47176a8f

SHA512
068158ce943058894f51c5ca3402c4b02ad1dd8acd8f3216628620b94b2ffa0fdd8cc26a8d10d3b2e466cd4d134588020c83338fda89b1c6ace415b20f83bd69

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f476e3fc575be76c1b98740a33a8e739

SHA1
4f703d732c6f37dde7c5f02fb8f08a15f25103ae

SHA256
7b6477886efd0f9ddcd3c8b3a470188a4bda60f07e2fb6c814fcfa07ea0a4e46

SHA512
537ce0b2adef5b8b117b58022f551e3ea55d3d4a83c4fcdb0bc554db89989438d273f26a30c59ec080feb53d926040e3e68471bfbcd781e41803893cd34a3419

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
86bba018426685c19f1379e04b078f88

SHA1
66f5bab1fe4e3d8a6f54e2f428b9a78f3306fea9

SHA256
ce976311e5993f60a3a7a7bb5bdfdbb24fa725377963249d3502b68df16da750

SHA512
11800809c695cfe3a757cb51e693c5426ecc001556f1ec5331b1bdcc1994290523b63458620f4d15377a45a3a1066222c0c6b634976f835eed09f97d17505247

Download Submit
memory/368-388-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/368-319-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/368-312-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/368-379-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1236-423-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1236-431-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1284-389-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1284-381-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1284-448-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1320-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1320-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1320-256-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1320-264-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1320-272-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/2044-67-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2044-66-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2044-73-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2044-236-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2288-61-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/2288-444-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2288-51-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/2288-436-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2288-52-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/2288-58-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/2288-64-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/3116-244-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3116-311-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3116-243-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3116-251-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3496-456-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3496-449-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3692-280-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3692-337-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3692-271-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3736-23-0x00000000005C0000-0x0000000000620000-memory.dmp

Filesize
384KB

Download
memory/3736-22-0x00000000005C0000-0x0000000000620000-memory.dmp

Filesize
384KB

Download
memory/3736-13-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3736-115-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3736-14-0x00000000005C0000-0x0000000000620000-memory.dmp

Filesize
384KB

Download
memory/3744-409-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3744-339-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3744-347-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3756-392-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3756-332-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/3756-324-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3900-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3900-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3900-41-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3900-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3920-462-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3940-296-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/3940-350-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3940-288-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4208-375-0x0000000000E50000-0x0000000000EB0000-memory.dmp

Filesize
384KB

Download
memory/4208-367-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4208-435-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4412-418-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4412-410-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4468-406-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4468-393-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4468-402-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/4468-407-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/4708-0-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/4708-1-0x0000000000860000-0x00000000008C7000-memory.dmp

Filesize
412KB

Download
memory/4708-7-0x0000000000860000-0x00000000008C7000-memory.dmp

Filesize
412KB

Download
memory/4708-6-0x0000000000860000-0x00000000008C7000-memory.dmp

Filesize
412KB

Download
memory/4708-18-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/4776-364-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4776-374-0x00000000006F0000-0x0000000000757000-memory.dmp

Filesize
412KB

Download
memory/4776-300-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4776-306-0x00000000006F0000-0x0000000000757000-memory.dmp

Filesize
412KB

Download
memory/4868-360-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4868-352-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4868-422-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4916-29-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4916-28-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4916-36-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4916-228-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download